The Sandworm APT uses Industroyer2 to target Ukraine’s energy sector

Sandworm APT Threat Group Industroyer2 Ukraine Energy Sector

Russia’s Sandworm advanced persistent threat (APT) group has been seen compromising supplies in Ukraine by interrupting its electric transformers using the Industroyer2. Moreover, the group uses the latest wipers and worms to target multiple operating systems such as Solaris, Windows, and Linux.

According to the joint advisory published by CERT-UA and security researchers, they have identified an updated variant of Industroyer, which they named Industroyer2. In their latest espionage campaign, the Sandworm group utilises several malware strains such as AwfulShred, OrcShred, SoloShred, and CaddyWiper.

It is still unknown how the malicious threat actors managed to infect the targeted systems and freely navigate from the IT network to the ICS network of Ukraine’s high-voltage electrical substations.


The operators of Industroyer2 have carefully planned their attacks since attacking the sector is not an easy feat.


Researchers indicated that the Russia-based Sandworm APT group deployed the Industroyer2 by disguising it as a single Windows executable. Additionally, the group executed the attacks using a scheduled task on the first week of April. The adversaries compiled the executable on March 23, implying that the threat actors carefully planned the attacks for more than 14 days.

However, Industroyer2 implements only the protocol called IEC-104 for establishing communications with industrial equipment. It also shares numerous code identicality with the first variant’s dll payload called 104[.]dll.

This second variant of Industroyer is highly configurable and has a particular configuration coded in its main body. Industroyer2 also requires the attackers to recompile the malware for every new target.

Lastly, the threat actors deploy a new strain of CaddyWiper, which now contains a new loader labelled ArguePatch. The newly discovered loader is a repaired version of a legitimate component of Hex-Rays IDA Pro software.

The conflict between Ukraine and Russia has given birth to new cyber-attacking methods and new developments for cyberwarfare. The introduction of the modified Industroyer indicates that Ukraine is a more significant threat.

Experts suggest that Ukrainian organisations should follow the given recommendation of CERT-UA to avoid such threats in the future.

About the author

Leave a Reply